Do I need to install Wordfence / Security plugins?

There’s no right answer to this question, but in this article, we’ll provide you with some guidance on deciding on what to implement on your websites.

First, our Managed WordPress Hosting implements security as part of the hardware stack on your behalf:

1) The very good 7G web application firewall

2) Fail2Ban, which keeps brute-force login hackers away

3) Your DNS and domain are with Cloudflare

4) We also run a malware scanner called Maldet, and ClamAV for antivirus

Mostly these are more than enough to keep your site safe. 

Security plugins aren’t all upside and no downside. In fact, many of the most popular security plugins have had security vulnerabilities themselves. Some may also:

  1. Be resource intensive and/or slow your sites down.
  2. Create false positives.
  3. Cause database table locking which can literally cause 502/504s across ALL of your websites on a given server.
  4. Cause fatal errors and break sites when migrating from one host to another.
  5. Be the first target for hackers; after all, if your security plugin breaks, they have free rein over your site.

They can also provide a false sense of security, and implementing security at the application layer is far less preferable to security at the DNS and server layers before malicious traffic even has a chance to reach your websites in the first place.

Bear in mind that the number one way a hacker can get in to deface your site is through poor security hygiene. This means you are using a weak password on your administrator accounts, or have used the same password in multiple places. Read our guide about the most common WordPress access points for hackers.

Wordfence: This has probably the best malware scanner available, which would be a good reason to install it, but do your homework to ensure it is configured correctly. Its best upside is the alert you get when a plugin is found to have a vulnerability. Do not use the 2-factor system here, as the keys are saved in the database, and any plugin on your site with database read access (all of them) could give access to these critical keys.

Generally, we don't install Wordfence, as the protections already in place mean we rarely see any infections. See our WordPress Security Overview.
